App vulnerabilities on the up as banks add new features

By Emma Olsson | 26 June 2020

Adding features to mobile banking applications may make those apps more vulnerable to fraud, experts say.

According to Nikolay Anisenya, mobile application security research team lead at Positive Technologies, fraud protection is largely out of customers’ control.

“As a customer, unfortunately you cannot do much to protect yourself from the banking app vulnerabilities, so you need to try to choose those banks who seem to make a more stable application,” he says. But as most banks do not disclose their vulnerabilities, choosing a bank based on security is difficult.

Anisenya cites a report by Positive Technologies published last week which suggests that half of all mobile banking apps are vulnerable. The research focuses on traditional banks, not digital-only challengers.

Mobile banking has grown as the pandemic has forced physical branches to close. Research by JD Power found that at the four largest US banks the share of clients using mobile banking jumped from 63 percent last year to 72 percent in April alone.

This influx of new mobile users has caused banks to swiftly add new features to their apps.

“When you increase the number of features provided on an application, the probability of the number of vulnerabilities increases,” says Anisenya.

Tom Lysemose Hansen, chief technology officer at app security provider Promon, echoes this statement.

“It’s logical to assume that the more rushed a feature is, the more likely it is to be flawed,” said Lysemose Hansen in an email.

“With more and more client-side security threats coming to light every day, it’s vital that feature-rich apps are protected from being tampered with by cybercriminals waiting for those flaws to be exposed.”

Others are sceptical.

“It is unlikely that expanding features and capabilities of existing mobile banking apps, complete with multi-factor authentication, will put customers at risk,” said Paul Hampton, senior manager and payments security expert at Thales, in an email.

“However, people should remain vigilant as we have seen criminals actively targeting people who are new to electronic banking and attempting to use the pandemic as a means to coerce people into installing fraudulent applications or visiting fraudulent websites masquerading as their real bank.”

While challenger banks tend to offer more mobile app features than incumbents, it is unlikely that they are more susceptible to fraud, because of their increased security.

“The main difference between the traditional banks making applications and challenger banking applications is that the challenger bank apps are more complex, because they don’t have physical offices to meet their customers. Their digital office is a banking application, so they are often more complex,” says Anisenya.

“The more complex an application you have, the wider an attack surface you have, so an attacker has more entry points to research and the potential number of vulnerabilities increases. That is the main difference, but challenger banks can spend more money and invest more funds into application development, also in security aspects.”
